Secure key from bound entanglement 
We characterize the set of shared quantum states which contain a cryptographically private key.
This allows us to recast the theory of privacy as a paradigm closely related to that used in
entanglement manipulation. It is shown that one can distill an arbitrarily secure key from bound
entangled states. There are also states which have less distillable private key than the
entanglement cost of the state. In general the amount of distillable key is bounded from above by
the relative entropy of entanglement. Relationships between distillability and distinguishability
are found for a class of states which have Bell states correlated to separable hiding states. We
also describe a technique for finding states exhibiting irreversibility in entanglement distillation.



Recently, strong connections have been emerging between the amount of pure entanglement $E_D$
and the private key $K_D$ one can distill from a shared quantum state. For example, the security
of key generation in BB84 [1] and B92 [jI can be proven by showing its equivalence with
entanglement distillation of singlets. These proofs had their origin in the idea of quantum privacy
amplification |^ where two parties (Alice and Bob) distill pure quantum entanglement until the
quantum correlations are completely disentangled with an eavesdropper (Eve). Those correlations
were represented by singlet states and were subsequently measured to obtain a classical private
key to which Eve had no access. Very recently, the hashing inequality 0, Q| was proven by showing
the equivalence between certain distillation protocols and one way secret key distillation.

An apparent equivalence between bound entangled states (states which require entanglement to
create, but from which no pure entanglement can be distilled) and classical distributions which
can not be turned into a key was conjectured in 0. Additionally, using techniques developed in
entanglement theory, a gap similar to the one between entanglement cost and distillable
entanglement was shown to exist classically for private keys |1^ . It has also been shown that for
two qubits, a state is one copy distillable iff it is cryptographically secure (c.f. [l^ Il3| ),
and there are basic laws which govern the interplay of key generation in terms of sent quantum
states.

In fact, the original papers on entanglement distillation used protocols which were derived from
existing protocols for distilling privacy from classical probability distributions. Indeed, formal
analogies between entanglement and secrecy exist [15]. The evidence to date strongly supports the
widely held belief that privacy and entanglement distillation are strictly equivalent - that one
can get a private key from a quantum state if and only if entanglement distillation is possible.



Surprisingly, this is not the case - we will introduce a class of bound entangled states (no pure
entanglement can be distilled from them), from which one can distill a private key. Examples of
states that have one bit of perfect private key and at the same time arbitrarily small distillable
entanglement are also provided.

Clearly, one always has $K_D \ge E_D$ since one can always distill singlets from a state, and then
use these singlets to generate a private key 0|. Here, we prove that one can also have the strict
inequality $K_D > E_D$, which sometimes holds even if $E_D = 0$. We will also prove that the
private key is generally bounded from above by the relative entropy of entanglement $E_r^\infty$
[t^ (regularized). This will be sufficient to prove that one can have $K_D < E_c$ where $E_c$ is
the entanglement cost (the number of singlets required to prepare a state under LOCC). This
enables one to easily find states for which $E_D < E_r^\infty$. In the present paper we will state
some of the results and present the full proofs in detail elsewhere [18].

We will first introduce a wide class of states which are the most general private states in the
sense that one can produce one bit of secure key from them even though an eavesdropper might hold
the purification of the state. One can think of these states as being the equivalent of the
singlet for key distillation. This will allow us to recast all protocols of key distillation
(classical or otherwise) in terms of distillation of private states using the distant labs
paradigm used in entanglement theory, i.e. local operations and classical communication (LOCC).
Next we show that these states can have arbitrarily little distillable entanglement while still
retaining one bit of private key. We can relate this to the problem of distinguishability of
states under LOCC. We then exhibit a bound entangled state from which a private key can be
distilled. We then prove that $K_D \le E_r^\infty$ and discuss the consequences.

Let us now introduce private states, i.e. $\gamma_{ABA'B'}$ where systems $AB$ are both m-qubits,
and measurement of $AB$ in the computational basis gives m bits of perfect key. Systems $AA'$
($BB'$) are held by Alice (Bob). We assume the usual scenario - that any part of the state which
is not with Alice and Bob might be with an eavesdropper Eve. Thus Eve holds the purification of
this state. We will now provide their unique form. We first consider perfect security.

Theorem 1. A state is private in the above sense iff it is of the following form

$$\gamma_m = U\,|\psi_+\rangle_{AB}\langle\psi_+| \otimes \rho_{A'B'}\,U^\dagger \qquad (1)$$

where iV'j") — N) '^'^'^ QA'B' is an arbitrary state 

on $A', B'$. $U$ is an arbitrary unitary controlled in the computational basis

$$U = \sum_{ij} |ij\rangle_{AB}\langle ij| \otimes U_{ij}^{A'B'} . \qquad (2)$$

We will call the operation (2) "twisting" (note that only $U_{ii}$ matter here, yet it will be
useful to consider general twisting later).

Proof. We will prove for m = 1 (for higher m, the proof is analogous). Start with an arbitrary
state held by Alice and Bob, $\rho_{AA'BB'}$, and include its purification to write the total
state in the decomposition

$$\Psi_{ABA'B'E} = a|00\rangle_{AB}|\Psi_{00}\rangle_{A'B'E} + b|01\rangle_{AB}|\Psi_{01}\rangle_{A'B'E}
+ c|10\rangle_{AB}|\Psi_{10}\rangle_{A'B'E} + d|11\rangle_{AB}|\Psi_{11}\rangle_{A'B'E} \qquad (3)$$

with the states $|ij\rangle$ on $AB$ and $\Psi_{ij}$ on $A'B'E$. Since the key is unbiased and
perfectly correlated, we must have $b = c = 0$ and $|a|^2 = |d|^2 = 1/2$. Depending on whether the
key is $|00\rangle$ or $|11\rangle$, Eve will hold the states

$$\rho_0 = \mathrm{Tr}_{A'B'}|\Psi_{00}\rangle\langle\Psi_{00}|, \quad
\rho_1 = \mathrm{Tr}_{A'B'}|\Psi_{11}\rangle\langle\Psi_{11}| \qquad (4)$$

Perfect security requires $\rho_0 = \rho_1$. Thus there exist unitaries $U_{00}$ and $U_{11}$ on
$A'B'$ such that

i 

l*ii> = T.VF.\Ui<t>f'''M) . (5) 

i 

After tracing out E, we will thus get a state of the form Eq. (1), where
$\rho_{A'B'} = \sum_i p_i |\phi_i\rangle\langle\phi_i|$. □

It is instructive to see the matrix of a general $\gamma_1$-state:

'a X" 


^1= 

_Xt (t'_ 

where the matrix is written in the computational basis on $AB$, i.e. $|00\rangle$, $|01\rangle$,
$|10\rangle$, $|11\rangle$, and the trace norm of block $X$ is 1/2. Thus $\gamma_1$ looks like a
Bell state with blocks instead of c-numbers, and the condition on $\|X\|$ can be associated with
the fact that Bell states have the corresponding element (coherence) equal to 1/2.

Let us briefly sketch the situation where one only demands approximate security for m = 1.
Consider in place of $\gamma_1$ an arbitrary state written in similar block form. One finds that
the condition $\|X'\| \approx 1/2$, where $X'$ is the upper right block, is equivalent to the state
being close to $\gamma_1$ in norm. For the converse direction, one can verify that in terms of the
fidelity $F(\rho_0^E, \rho_1^E) = \mathrm{Tr}\,|\sqrt{\rho_0^E}\sqrt{\rho_1^E}|$

$$\|X'\| = \sqrt{p_0 p_1}\, F(\rho_0^E, \rho_1^E) \qquad (7)$$

where $p_i$ are probabilities of Alice and Bob to obtain outcome $ii$, and $\rho_i^E$ are the
corresponding Eve's states. Thus having approximate bit of key, i.e. uniformity
$p_0 \approx p_1 \approx 1/2$ and security $F(\rho_0^E, \rho_1^E) \approx 1$ (implying
$\rho_0^E \approx \rho_1^E$) is equivalent to sharing state close to $\gamma_1$. The result can be
generalized to m > 1 [l^ .

and thus that the resulting state be close in norm to some $\gamma_1$.

This then completely recasts the drawing of key at a rate $K_D$ under local operations and public
communication (LOPC) in terms of distilling $\gamma_m$ states (at a rate of $K_\gamma$ under
LOCC). Clearly $K_\gamma \le K_D$ since distilling $\gamma_m$ is a particular way of drawing key.
Additionally, by Theorem 1, any secure protocol which distills $K_D$ is also distilling $\gamma_m$
with $K_\gamma = K_D$ when one considers all of Alice and Bob's lab as the $A'B'$ ancilla. I.e. if
one applies some protocol coherently (since the original LOPC protocol might be partly classical),
one distills some $\gamma_m$ at the full rate. We thus have equality of the two rates.

Before showing that one can have bound entangled states which give secure key, we provide examples
of both strict and approximate $\gamma$ states, which have an arbitrarily small amount of
distillable entanglement, i.e. $K_D \gg E_D$.

Example 1. Consider states

$$\rho = p\,|\psi_+\rangle\langle\psi_+| \otimes \rho_+ + (1-p)\,|\psi_-\rangle\langle\psi_-| \otimes \rho_- \qquad (8)$$

where $\psi_\pm = \frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle)$ and $\rho_\pm$ reside on
orthogonal subspaces. One can verify that these states are particular examples of $\gamma_1$, and
therefore produce at least one bit of private key. Eve (who holds the purification of the state)
can learn the phase of the state on $AB$, i.e. whether Alice and Bob hold $\psi_-$ or $\psi_+$.
She can help Alice and Bob obtain one singlet by telling them which maximally entangled state they
possess. Yet she can learn nothing about the key bit (i.e. whether they have $|00\rangle$ or
$|11\rangle$). In a sense, Eve can hold one bit of information but it is the wrong bit of
information. Such a situation is impossible classically (or with pure quantum states held by Alice
and Bob).

To decrease the distillable entanglement, take $p = (1 + 1/d)/2$ and $\rho_\pm$ to be two extreme
Werner $d \otimes d$ states

2 2 
with $P_{as}$, $P_{sym}$ the anti/symmetric projectors. The log-negativity $E_N$ which is an upper
bound on the distillable entanglement $E_D$ amounts in this case to $E_N(\rho)$ = log . Thus by
increasing d one can have an arbitrarily small amount of distillable entanglement while keeping
one bit of private key.
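A numerical check of Example 1, added here as an illustration and not taken from the paper. It assumes $\rho_+$ is the symmetric and $\rho_-$ the antisymmetric extreme Werner state (each a normalized projector), reads the page's p as $(1 + 1/d)/2$, and uses base-2 logarithms; all function names are illustrative. Under these assumptions the key block $X$ keeps trace norm 1/2 for every d, while the computed log-negativity equals $\log_2(1 + 1/d)$ and shrinks as d grows.

```python
import numpy as np

def werner_extremes(d):
    """Normalized symmetric / antisymmetric projectors on C^d (x) C^d."""
    eye = np.eye(d * d)
    swap = np.zeros((d * d, d * d))
    for i in range(d):
        for j in range(d):
            swap[i * d + j, j * d + i] = 1.0      # V|i,j> = |j,i>
    return (eye + swap) / (d * d + d), (eye - swap) / (d * d - d)

def example1_state(d):
    """State (8) with subsystem order A, B, A', B' (A and B are qubits)."""
    p = (1 + 1 / d) / 2
    rho_plus, rho_minus = werner_extremes(d)      # assumed assignment of rho_+/-
    psi_p = np.array([1, 0, 0, 1]) / np.sqrt(2)   # (|00> + |11>)/sqrt(2)
    psi_m = np.array([1, 0, 0, -1]) / np.sqrt(2)  # (|00> - |11>)/sqrt(2)
    return (p * np.kron(np.outer(psi_p, psi_p), rho_plus)
            + (1 - p) * np.kron(np.outer(psi_m, psi_m), rho_minus))

def trace_norm(m):
    """Sum of singular values."""
    return float(np.linalg.svd(m, compute_uv=False).sum())

def key_block_norm(rho, d):
    """Trace norm of the |00><11| block X of the AB key part."""
    n = d * d
    return trace_norm(rho[:n, 3 * n:])

def log_negativity(rho, d):
    """log2 of the trace norm of the partial transpose over Bob's B and B'."""
    t = rho.reshape(2, 2, d, d, 2, 2, d, d)       # (a, b, a', b'; a, b, a', b')
    t = t.transpose(0, 5, 2, 7, 4, 1, 6, 3)       # swap row/column indices of B, B'
    return float(np.log2(trace_norm(t.reshape(4 * d * d, 4 * d * d))))

def survey(dims=(2, 3, 4, 6)):
    """(d, ||X||_1, E_N) for each local dimension d of the Werner flags."""
    rows = []
    for d in dims:
        rho = example1_state(d)
        rows.append((d, key_block_norm(rho, d), log_negativity(rho, d)))
    return rows

if __name__ == "__main__":
    for d, x_norm, e_n in survey():
        print(f"d={d}  ||X||_1={x_norm:.6f}  E_N={e_n:.6f} bits")
```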

Example 2. We take $\rho_\pm$ to be two separable hiding states $\tau_0$ and $\tau_1$. We take
here those given in



To = g. 



Ti = [{ga + gs)/2]' 



(10) 



By choosing d and l one can make them arbitrarily indistinguishable under LOCC and arbitrarily
orthogonal (since $X = (\tau_1 - \tau_0)$, orthogonality of the $\tau$'s are needed for security
i.e. $\|X\|$ , while hiding is needed for low distillability). Choosing p = 1/2, one can show that
distilling entanglement essentially reduces to Alice and Bob determining which maximally entangled
state they possess by performing measurements on the hiding state $\tau$. Choosing better and
better hiding states decreases the distillable entanglement arbitrarily. Again we check this by
use of log-negativity; one finds that $E_N(\rho)$ — $\|\tau_0^\Gamma - \tau_1^\Gamma\|$ where
$\Gamma$ stands for partial transpose. This quantity has been shown to be an upper bound for
distinguishability of the hiding states, and for suitable choice of l and d it can be made
arbitrarily small |2ll | .

The idea behind both examples is similar: Alice and Bob share mixture of two Bell states, with
flags which are distinguishable if one has access to the entire state - this gives security, but
are poorly distinguishable by local operations and classical communication, which prevents Alice
and Bob knowing which Bell state they share, hence dramatically decreases distillable
entanglement. In both examples however, the states do have nonzero distillable entanglement. For
strict $\gamma$ states, it is not hard to see that they are always distillable. It is then clear
that any key from bound entangled states can be arbitrarily secure, but not perfectly secure.

Main result. We now introduce a bound entangled state which can be shown to have $K_D > 0$. We
simply take the preceding state, and introduce errors



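$$\begin{pmatrix}
\frac{p}{2}(\tau_0+\tau_1) & 0 & 0 & \frac{p}{2}(\tau_1-\tau_0) \\
0 & (\frac{1}{2}-p)\tau_0 & 0 & 0 \\
0 & 0 & (\frac{1}{2}-p)\tau_0 & 0 \\
\frac{p}{2}(\tau_1-\tau_0) & 0 & 0 & \frac{p}{2}(\tau_0+\tau_1)
\end{pmatrix} \qquad (11)$$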



One finds that for p < 1/3 and y^{d - I) > d the state has positive partial transpose (PPT) being
therefore bound entangled [2^ .

Now, we take n copies, and apply the recurrence distillation protocol of [23] without the twirling
step. The resulting state is



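$$\rho' = \frac{1}{N}\begin{pmatrix}
[\frac{p}{2}(\tau_0+\tau_1)]^{\otimes n} & 0 & 0 & [\frac{p}{2}(\tau_1-\tau_0)]^{\otimes n} \\
0 & [(\frac{1}{2}-p)\tau_0]^{\otimes n} & 0 & 0 \\
0 & 0 & [(\frac{1}{2}-p)\tau_0]^{\otimes n} & 0 \\
[\frac{p}{2}(\tau_1-\tau_0)]^{\otimes n} & 0 & 0 & [\frac{p}{2}(\tau_0+\tau_1)]^{\otimes n}
\end{pmatrix} \qquad (12)$$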

where $N = 2p^n + 2(1/2 - p)^n$. To see that Alice and Bob have arbitrarily secure key, we check
that the trace norm of off-diagonal block $\|X'\|$ tends to 1/2:



[f(TO 



(Tl-T2)]®"/7V 



1 



1 



2^' 



1 



(13) 



Now, for p > 1/4 the norm can be arbitrarily close to 1/2 if we had previously taken l large
enough, and now take large n. Given such l, one could always have initially chosen d to satisfy
the PPT condition of the initial state (11), so that the state $\rho'$ is PPT (as it is obtained
from $\rho$ by LOCC).

Remark. Note that we need to use large l for security, large n for the state to approximate
perfect key, and large d for the state to be PPT. Indeed, large d is needed for $\tau_i$ to be
hiding states, and if they are not hiding, then the state would be distillable by distinguishing
between them, and then distilling the correlated singlet.

Thus we have shown that we can get arbitrarily secure bit from bound entangled states. The
structure of our states sheds perhaps for the first time some light on the phenomenon of bound
entanglement: they can contain singlets that are so "twisted", they cannot be distilled, but they
can exhibit their quantum character through privacy. This explanation probably cannot be applied
to low-dimensional bound entangled states.

Having shown that one can draw one bit of key, we now show that Alice and Bob can draw key at a
nonzero asymptotic rate, using

Lemma 1. For any state $\psi_{ABA'B'E}$ consider the state $\rho_{ABE}$ emerging after measurement
on $AB$ in the standard basis. The latter state does not change under twisting (the proof boils
down to direct checking).

Since trace norm of the off-diagonal block H12(l of the state is close to 1/2, by use of polar
decomposition, one finds twisting operation after which trace of the block $X$ is equal to its
trace norm. For such new state $\rho''$, by Lemma 1, Eve's states correlated with outcomes of $AB$
measurements are still the same as for $\rho'$. Now however, after tracing out $A'B'$, the state
is close to singlet. Clearly, the problem is reduced to drawing key from outcomes of measurement,
from a state close to singlet, which can be done, for example, by the protocol of Devetak and
Winter 'Sg. As we have already noted, this will draw $\gamma$ states at the same rate as when the
corresponding classical protocol is applied coherently.

We now provide a general upper bound on $K_D$ in terms of the relative entropy of entanglement
$E_r(\rho) := \inf_{\sigma \in \mathrm{sep}} S(\rho\|\sigma)$, with
$S(\rho\|\sigma) := \mathrm{Tr}[\rho(\ln\rho - \ln\sigma)]$ and Sep being the set of separable
states. Namely we have

Theorem 2. $K_D(\rho_{AB}) \le E_r^\infty(\rho_{AB})$, where $E_r^\infty$ is the regularization of
the relative entropy of entanglement $E_r^\infty(\rho) := \lim_{n\to\infty} E_r(\rho^{\otimes n})/n$.

Our proof is inspired by the idea that transition rates are bounded by LOCC monotones ji^li yet it
needs essentially new techniques, mostly due to possibility of large scaling of the size of the
ancilla $A'B'$ with the number of obtained bits of key. We present it in .

Since we can have $E_r(\rho) < E_c(\rho)$ the above theorem implies that for some states, the key
rate will be strictly less than the entanglement cost, and in fact, can be made arbitrarily small
for fixed $E_c$. E.g. for anti-symmetric Werner state $\rho_a$ we have $E_c(\rho_a) = 1$ [25]
while $E_r^\infty(\rho_a) = \log\frac{d+2}{d}$ which can be arbitrarily low.

In summary, we have found that in general $E_D \le K_D \le E_r^\infty \le E_c$ with strict
inequalities $E_D < K_D < E_c$ and $E_D < E_r^\infty$ also possible (the latter was shown
previously in [2g; our result allows for easy construction of new examples). One can even have
$K_D > 0$ for bound entangled states. This implies that the rate of distillable key is not only an
operational measure of entanglement, but is also non-trivial in that it is not equal to other
known operational measures: $E_c$ and $E_D$. This is also likely to be true for the quantum key
cost $K_c$ which we define to be the minimum size m of $\gamma_m$ required to form a state in the
asymptotic limit. These results also put into question the possibility of "bound information" for
bipartite systems conjectured in 0, although the phenomena may well exist for distributions
derived from other bound entangled states. Our results also suggest that the qualitative
equivalence between privacy and distillability in $2 \otimes 2$ [llj is likely to be due to the
fact that in low dimensions, bound entanglement does not exist.

One could define a unit of privacy, by calling $\gamma_1$ irreducible, if one and only one bit of
privacy can be obtained from it. Irreducible private state may therefore be thought of as the
basic unit state of privacy, much as the singlet is the basic unit of entanglement theory
(although not all $\gamma$ states are equivalent to each other, thus one thinks of $\gamma_m$ in
its entirety). From theorem 2 it follows that irreducibility can be imposed by demanding that
$\gamma_1$ have a relative entropy of entanglement of one. However we do not know if this
condition is too strong.

Here our interest in privacy is motivated by the fundamental insight it gives into entanglement -
there seems to exist a deep connection between the entanglement cost of PPT states, and privacy.
In terms of cryptographic protocols, the states considered here can be incorporated into an actual
scheme by performing a suitably randomized tomography protocol on the obtained states to verify
that they are indeed close to the expected form. Such a protocol is highly inefficient, but
appears to be secure for binding entanglement channels, although the scaling of security
parameters may be qualitatively different than in BB84. Determining how efficient such a protocol
could be is an interesting open problem.